Leave us a message

Four Practical Ways Board Can Oversee Risk Management Beyond Covid-19

Corporate Governance

Four Practical Ways Board Can Oversee Risk Management Beyond Covid-19

  • Four Practical Ways Board Can Oversee Risk Management Beyond Covid-19 Leading directors offer their insights into why COVID-19 requires a new attitude toward board risk oversight.
  • Date: Dec 29, 2020
  • Category: Corporate Governance
  • Print

A critical function of boards has always been to understand and mitigate business risk – and the pandemic has brought that responsibility into sharper focus. Its unprecedented impact has highlighted the interconnectedness of risks and the velocity at which the risk landscape can change. In this environment, how can boards be sure that risks are managed effectively across the organisation? And more fundamentally, how can they prioritise risks when the economic, societal and technological landscape remains so dynamic?

The EY Global Center for Board Matters recently interviewed seven leading board directors across the globe to understand if and how their attitudes to risk management have changed in light of the pandemic. Four insights emerged into how boards can change their approach to risk management to reframe the future of their organisations:

1. Protect more than shareholder value

Risk has always been tricky. Understanding new and emerging risks to business during a pandemic that impacted the lives of so many globally has added a new layer of complexity. Transitioning entire workforces to remote working, building resilience and business continuity while transforming business models, and solving societal challenges – all pressing matters unearthed by the COVID-19 pandemic – raised the question: “Have businesses’ responsibilities to society changed – and, what do you see as the role of the board in response to this?”

“Boards need to be much more aware of the responsibility we have to society. And if we don't do that practically, society will force us. For example, since the pandemic there’s been an increased recognition of the responsibility that businesses have for not only their direct employees but also those in the supply chain. So, there will be heightened focus on wages and working conditions across businesses’ entire supply chains.”
Robin Stalker, supervisory board member and member of risk and audit committees, including for Commerzbank

The days are gone of boards thinking about risk purely in relation to shareholder value. Directors today must consider their role in mitigating risks to a broad set of stakeholders, including employees, customers, suppliers and the wider society. In particular, the importance of looking after employees has risen, not merely regarding basic health and safety but in protecting their mental health and work-life balance. Any board previously not paying attention to long-term value and purpose must now put it front and centre of their discussions, or risk capital and talent shifting towards businesses that do. They should start by working with management to define a purpose that underpins the business. This may include rethinking management KPIs.

2. Enter listening and learning mode

Before COVID-19, EY’s Global Board Risk Survey revealed that businesses were not only failing to pay enough attention to emerging and existential threats, but were not equipped to adequately understand, detect and mitigate certain types of risk. Just 21% of boards said their organisation was very prepared to respond to an adverse risk event from a planning, communications, recovery, and resilience standpoint. Since then, the pandemic has made the risk landscape much more volatile. Risks that have long been on the agenda have transformed and intensified, and new risks have emerged that, combined with other threats, can have unforeseen consequences. With the external risk landscape changing so rapidly, how can boards stay ahead of new and emerging trends, and how they present risks and opportunities to their organisations?

“Boards need to be more aware of the societal and technological changes that are taking place. They should listen more to what a diverse range of experts, including academics, government officials and consultants say about major trends. They can’t just workshop these issues themselves. They should follow the three L’s of listening, learning and then leading management.” Only by fully understanding the major societal, technological and geopolitical changes can boards conduct the future-back planning necessary to mitigate risk.”
Alfonso Gonzalez Migoya, board member, including for Volaris

The message is clear here: Boards must enter listening-and-learning mode to stay on top of megatrends and have a better view of the shifting risk environment.

3. Make risk a mandatory agenda item at every board meeting

Considering that there are only 24 hours in a day, and that the risk landscape is becoming ever more volatile, we asked: “How much more time do boards need to devote to risk?”

“It’s become more important for board directors on risk committees to spend the time to build up an understanding of operational risks from the bottom up so that they can have informed conversations with the wider board about how they impact on delivery of strategy. If you don’t spend enough time doing this then corporate risk registers become too top-level and generic. You need to carve out enough time to do some really deep dives into particular risk areas.”
Andrew Tivey, non-executive director and audit, risk and compliance committee chair for the UK National Crime Agency

“Risk has to be a continuous discussion in the boardroom. In the past, boards made a strategy document, and a three- to five-year plan, then put it on the shelf. But today's high-performing boards have strategic conversations at every board meeting because the pace of disruption necessitates it. The same needs to happen with risk, because risks have to align to and support strategy. You can’t discuss strategy without discussing risk.”
Dona Young, chair, risk committee, supervisory board of Aegon NV; lead independent director at Foot Locker.

Boards need to get comfortable with discussing risk more frequently, enhancing engagement and communication with management to understand where risk may materialise within the business. They should also use these meetings to scrutinise management on the effectiveness of risk basics, such as the adequacy of business continuity plans. In the past, boards may have only discussed business continuity plans in passing. But recent events – and the potential for further crises – mean boards must ensure that management has these basics in place, but more importantly has a plan to test and review on a regular basis. Risk should form part of every strategy discussion – so the full board will need to ensure risk identification and management aligns to and supports this objective.

4. Search for hidden concentration risk

The COVID-19 crisis has highlighted that risks are interconnected, can appear out of nowhere and materialise at speed, so we asked directors: “Which areas of risk require deeper focus at board level, and what’s the best way to do this?”

“A lot of people understand the networking effect of risks. But the next question is around the velocity of change of the risk. Few people had a pandemic on their risk matrix because it was such a low probability. Understanding both the network and velocity effect of risks can highlight potential disruptions to supply chain, lack of access to key people within the company, all the way through to a potential economic downturn. Understanding the variation and range of individual board member’s perspectives on risks to come to a more considered consensus will be very important.”
Diane Smith-Gander, board director including for AGL Energy and Wesfarmers

Companies will need to have clarity around the shifting nature of risk to ensure business continuity. Before COVID-19, boards only considered supply chain disruption their 10th most significant business risk. Today, they have been forced to acknowledge supply chain disruption as a major threat and, as such, work with management to remediate any risks created by overreliance on certain suppliers. It is critical for the board to hold management to account on how concentration risk is being managed, both within supply chains and across the entire business.


In summary, directors must respond to the profound impact of COVID-19 on the business risk landscape. As a starting point, they must rethink for whom they are mitigating risks. Historically, boards focused on risks to shareholder value. Today, they must focus on risks to a broader set of stakeholders. With risks changing and emerging at speed, it is also imperative to spend enough time on understanding exactly how the risk landscape is changing. And this can only be done if board directors devote enough time to risk. By doing this, board directors can help their businesses reframe their future and emerge from the crisis more resilient and stronger.


EY Global Center for Board Matters

  • Tags : CG

Other Trending